just another infosec blog

Learning web penetration testing

Some days ago I spent an evening on a penetration testing/white hat hacking forum and stumbled across an interesting post. A newbie wanted to know how to begin testing web applications. The question itself wasn’t any extra ordinary. Just a newbie reaching out to the community. The answer he/she/it got, man, were awful. It ranged from learning C++, learning how RAT’s works and of course, learn how to DDOS a site to hell.

There’s a reason I don’t visit such forums much. As far as I can see most of the forums are inhabited by people having no clue. It’s all about causing havoc. Since my frustration grew higher by the minute I decided to write a post on how to get a head start in the web penetration business. In this post I assume the following

You want to do a legal and ethical penetration test

You have next to none knowledge of how a penetration test is conducted

You have no programming skills

All information herein is based on the path of study I followed many, many years ago.

Learning

To become a professional penetration tester you must be willing to learn. The nature of the game changes fast! Yesterdays technologies might not be applicable on the next project. However being a newbie you must first get a solid base. Let us look into some ways to learn.

1. Reading

Be warned! Testers read a lot. Everything from obscure sources on the Net to books and everything in between. For now I’ll focus on the books. I am pretty sure you’ve at least one time in your life tried to find a book covering the subject over at Amazon (or similar) only to find there are plenty of books available. It’s kind of hard to just chose one. From my perspective, they’re all the same. Pretty much. My advice is to pick one book covering the entire penetration testing process. Just make sure there’s a section related to web application and port scanning in it. Then read it lightly so you know where to look up in it when you need to.

Next, invest in the book “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard. This book is a bit dated, but the content is still relevant. This is a huge book. I recommend to read this book lightly so you know where to look up stuff.

2. Seeing/watching

Watching videos is a great way to learn. There’s even online classes to follow for free. Usually they are good. I would still recommend starting with the written material – though. It’s important to get the key concepts right the first time and often these videos and classes go way over your head. You have to decide if you want to take this approach.

3. Doing

By now you should at least have some knowledge to begin having fun. Don’t expect to become a professional over night though. You now have to practice – a lot. This part is actually pretty fun. In this step you’ll be using those reference books I mentioned earlier applying and refining the concepts.

In order to play it safe you need a way to practice. I recommend the following:

You can use specially crafted vulnerable web applications.

You can do war gaming

You can use various test sites

You can set up your own lab

Specially crafted vulnerable web applications

There are many web applications that is specially designed to be vulnerable right from the box. These are targeted for educational use only – not for production. Most often you will have to download an application and run it in your lab on a server. If this sound interesting, please checkout the links in the resources section or just Google it. Please notice that you might get the impression that these applications show the current state of web applications on the market. They don’t. Web applications on the market today is way more “secure” than these.

Resources

War gaming

War gaming can be thought of as hacker challenges where you complete various scenarios. Typically the challenges are divided into topic areas such as web hacking, network hacking, cryptology and many more. Often you earn points for solving each task in a scenario. You can then use these points to profile yourself in the war gaming community. War gaming is legal since you are actually playing in a sandbox environment. You’ll find some links to various war games in the resources. I used to play many war games when I was younger.

Resources

Test sites

Many producers of vulnerability scanners hosts test sites that are designed to be vulnerable. Often these producers lock their tools to only scan these sites for demo and evaluation purposes. Luckily, you can use them too without owning a vulnerability scanner. These sites operates just the same as those in my “specially crafted vulnerable web applications” section – the difference is that you do not need to download anything and the test sites are reset quite often.

Resources

Lab

Running your own lab is rewarding. You stand much freer to mix and match the web systems you want to test. Focusing on various versions of Joomla and WordPress? No sweat! Just install VMWare Player og Oracle Virtualbox and a guest OS and you’re basically there. My particular lab contains of a Lenovo laptop running VMWare Player with Debian as a guest OS. I’ve chosen Debian since Debian is … Debian and I love it. On my Debian system I run Apache, MySQL and PHP. What about CMS’s? Mainly Joomla and WordPress – complete with a range of plugins.

The downsides in my setup and in general are:

Laptop being 15″ leaves no screen estate to spare. An external monitor would solve this.

Attacking pure CMS’s is damn hard to do. Vanilla CMS’s are pretty safe without those plugins.

You got to have a big hard drive and a somewhat beefy machine.

Resources

A note if you decide to go rogue

Needless to say, going rogue testing sites in the wild is not and has never been a clever move. I know it is tempting, please restrain yourself from doing this. If you chose to go rogue you’ll fall hard. For starters, you may end up causing havoc with your attacks. Havoc that may cause serious consequences – both for the victim and YOURSELF. You may end up being fined, face jail time and/or economical losses. Most likely you’ll end up broke and with a complete loss of freedom. So – be smart, stay out of trouble.

Resources

Talk to a counselor or a psychotherapist

Ask to be voluntarily jailed or locked up at an institution.

Future

By now I hope your appetite are high and that you now want to become a professional. I intended this post to be a starter point for newbies. If your appetite is strong now I recommend the following:

Learn a web related programming language and technology. I would recommend C#, Java and PHP.